Don Thibeau's Blog

Menu

Monthly Archives: October 2014

The name is the thing. The name of this Open Identity Exchange White Paper, the “ARPU of Identity”, is deliberate. ARPU, Average Revenue Per User, is one metric telcos use to measure success. By deliberately using a traditional lens that telcos use, this paper puts emerging Internet identity markets into a pragmatic perspective. The focus of the white paper is on how mobile network operators (MNOs) and other telcos can become more involved in the identity ecosystem and thereby improve their average revenue per user, or ARPU. This perspective continues OIX’s “Economics of Identity” series, or as some call it the “how do we make money in identity” tour in the emerging Internet identity ecosystem. OIX commissioned a white paper reporting the first quantitative analysis of Internet identity market in the UK, where HMG Cabinet Office hosted workshops on the topic at KPMG’s headquarters in London and at the University of Washington’s Gates Center in Seattle.

The timing of this paper on business interoperability is coincidental with work groups in the OpenID Foundation developing the open standards that MNOs and other telco players will use to ensure technical interoperability. GSMA’s leadership with OIX on pilots in the UK Cabinet Office Identity Assurance Program and in the National Strategy on Trusted identity in Cyberspace offer opportunities to test both business and technical interoperability leveraging open standards built on OpenID Connect. The timing is the thing. The coincidence of white papers, workshops and pilots in the US, UK and Canada with leading MNOs provides a real-time opportunity for telcos to unlock their unique assets to increase ARPU and protect the security and privacy of their subscribers/citizen.

In my OpenID Foundation blog, I referenced Crossing the Chasm, where Geoffrey A. Moore argues there is a chasm between future interoperability that technology experts build into standards and the pragmatic expectations of the early majority. OIX White Papers, workshops and pilots help build the technology tools and governance rules needed for the interoperability to successfully cross the “chasm.”

Several OIX White Papers speak to the “supply side” how MNOs and others can become Identity Providers (IDPs), Attribute or Signal Providers in Internet identity markets. Our next OIX White Paper borrows an industry meme (and T-Shirt) for its title, “There’s No Party Like A Relying Party”. That paper speaks to the demand side. Relying Parties, (RPs) like banks, retailers and others rely on identity attributes and account signals to better serve and secure customers and their accounts rely on technical, business and legal interoperability.

By looking at the “flip sides” of supply and demand, OIX White Papers help us better understand the ARPU, the needs for privacy and security and the economics of identity.

This week Open Identity Exchange publishes a white paper on the “ARPU of Identity”. The focus of the white paper is on how MNOs and telecommunications companies can monetize identity markets and thereby improve their average revenue per user, or ARPU. Its author and highly regarded data scientist, Scott Rice, makes a point that caught my eye. It’s the difficulty in federating identity systems because consumer consent requirements and implementations vary widely and are a long way from being interoperable. It got my attention because Open Identity Exchange and the GSMA lead pilots in the US and UK with leading MNOs with funding in part from government. The National Strategy on Trusted identity in Cyberspace and UK Cabinet Office Identity Assurance Program are helping fund pilots that may address these issues. Notice and consent involves a governmental interest in protecting the security and privacy of its citizens online. It’s a natural place for the private sector to leverage the public-private partnerships Open Identity Exchange has helped lead.

Notice and consent laws have been around for years. The Organization for Economic Co-operation and Development, or OECD, first published their seminal seven Privacy Guidelines in 1980. But in 1980, there was no world wide web nor cell phone. Credit bureaus, as we know them today, didn’t exist; no “big data” or data brokers collecting millions of data points on billions of people. What privacy law protected then was very different than what it needs to protect now. Back then, strategies to protect consumers were based on the assumption of a few transactions each month, not a few transactions a day. OECD guidelines haven’t changed in the last 34 years. Privacy regulations and, specifically, the notice and consent requirements of those laws lag further and further behind today’s technology.

In 2013 (and updated in March of this year), OIX Board Member company Microsoft, and Oxford University’s Oxford Internet Institute (OII) published a report outlining recommendations for revising the 1980 OECD Guidelines. Their report makes recommendations for rethinking how consent should be managed in the internet age. It makes the point that expecting data subjects to manage all the notice and consent duties of their digital lives in circa 2014 is unrealistic if we’re using rules developed in 1980. We live in an era where technology tools and governance rules assume the notice part of “notice and consent” requires the user to agree to a privacy policy. The pragmatic choice is to trust our internet transactions to “trusted” Identity Providers (IDPs), Service Providers (SPs) and Relying Parties (RPs). The SPs, RPs, IDPs, government and academic organizations that make up the membership of Open Identity Exchange share at least one common goal: increasing the volume, velocity and variety of trusted transactions on the web.

The GSMA, Open Identity Exchange and OpenID Foundation are working on pilots with industry leading MNOs, IDPs and RPs to promote interoperability, federation, privacy and respect for the consumer information over which they steward. The multiple industry sectors represented in OIX are building profiles to leverage the global adoption of open standards like Open ID Connect. Open identity standards and private sector led public-private partnership pilots help build the business, legal and technical interoperability needed to protect customers while also making the job of being a consumer easier.

Given the coincidence of pilots in the US, UK and Canada over the coming months, it is increasingly important to encourage government and industry leaders and privacy advocates to build on interoperability and standardization of consumer consent and privacy baked into standards like OpenID Connect brings to authentication.

Mobile Network Operators (MNOs) worldwide are in various stages of “crossing the chasm” in the Internet identity markets. As Geoffrey A. Moore noted in his seminal work, the most difficult step is making the transition between early adopters and pragmatists. The chasm crossing Moore refers to points to the bandwagon effect and the role standards play as market momentum builds.

MNOs are pragmatists. As they investigate becoming identity providers, open standards play a critical role in how they can best leverage their unique technical capabilities and interoperate with partners. The OpenID Foundation’s Mobile Profile Working Group aims to create a profile of OpenID Connect tailored to the specific needs of mobile networks and devices thus enabling usage of operator ID services in an interoperable way.

The Working Group starts with the challenge that OpenID Connect relies on the e-mail address to determine a user’s OpenID provider (OP). In the context of mobile identity, the mobile phone number or other suitable mobile network data are considered more appropriate. The working group will propose extensions to the OpenID discovery function to use this data to determine the operator’s OP, while taking care to protect data privacy, especially the mobile phone number. We are fortunate the working group is led by an expert in ‘crossing the chasm’ of email and phone number interoperability, Torsten Lodderstedt, Head of Development of Customer Platforms at Deutsche Telekom who is also an OpenID Foundation Board member.

The Working Group’s scope is global as geographic regions are typically served by multiple, independent mobile network operators including virtual network operators. The number of potential mobile OPs a particular relying party needs to setup a trust relationship with will likely be very high. The working group will propose an appropriate and efficient model for trust and client credential management based on existing OpenID Connect specifications. The Foundation is collaborating with the Open Identity Exchange to build a trust platform that combines the “rules and tools” necessary to ensure privacy, operational, and security requirements of all stakeholders.

Stakeholders, like service providers, may likely have different requirements regarding authentication transactions. The OpenID Connect profile will also define a set of authentication policies operator OP’s are recommended to implement and service providers can choose from.

This working group has been setup in cooperation with OpenID Foundation member, the GSMA, to coordinate with the GSMA’s mobile connect project. We are fortunate that David Pollington, Senior Director of Technology at GSMA, and his colleagues have been key contributors to the Working Group’s charter and will ensure close collaboration with GSMA members. There is an importance coincidence of the GSMA and OIX joint leadership of mobile identity pilots with leading MNOs in the US and UK. All intermediary working group results will be proposed to this project and participating operators for adoption (e.g. in pilots) but can also be adopted by any other interested parties. The OIX and GSMA pilots in the US and UK can importantly inform the OIDF work group standards development process. That work on technical interoperability is complemented by work on “business interoperability.” OIX will publish a white paper tomorrow, “The ARPU of Identity”, that speaks to the business challenges MNOs face leveraging the highly relevant and unique assets in Internet identity.

The OpenID Foundation Mobile Profile Working Group’s profile builds on the worldwide adoption of OpenID Connect. The GSMA and OIX pilots offer an International test bed for both business and technical interoperability based on open standards. Taking together with the ongoing OIX White Papers and Workshops on the “Economics of Identity”, “chasm crossing” is within sight of the most pragmatic stakeholders.

In a world where we constantly receive information at an ever-increasing rate, it’s hard for any one organization to stand out. It’s harder still to hold the attention of OIX members. They are a smart and sophisticated bunch when it comes to Internet identity. OIX members include industry leaders, venture-backed start-ups, universities and governments who are all focused on how to grow the volume, velocity and variety of trusted transactions on the web. So, I am thankful to the OIX members that joined the 2014 Member Meeting yesterday.

OIX is taking on some of the toughest obstacles to building trust in online identity. I highlighted the OIX pilot projects, white papers and workshops that contribute to containing costs and mitigating risk in deploying today’s Internet identity systems. I also teased the news of a team of rival global industry leaders joining together to bring to the market new options for certification and standards. The 2014 OIX Member Meeting presentation has been posted.

At the Member Meeting, I asked a favor: please take a few minutes to complete the OIX Member Survey that you recently received via email. OIX offers industry members the chance to shape the market they wish to lead. Your feedback helps shape OIX to meet your needs and the needs of your organization.